A Fact Check on Medical Device Security

This may have been your question while reading my previous article about the security of connected medical devices, “Sobering Thoughts When a Connected Medical Device Is Connected to You.” Did laying in a hospital bed, connected to an infusion pump like the one used by security researchers to demonstrate how breaching such a device could be used to administer a fatal dose of medicine, create unnecessary angst? Or, did it draw the facts into clear focus?

I have come to make my case for the latter. I will use real data and a bit of favorably timed news to state my case.

Find more information about the actual attack on an infusion pump, much like the one that was my constant companion, in this demonstration by security researcher Billy Rios. There, you’ll find documentation on the delivery mechanism and the associated risks. With this evidence in hand, score one point for the savvy observer.

Medical device network vulnerability

Now let’s consider the network vulnerability of hospitals and other medical providers using that favorably timed news I mentioned. On Friday, May 12th, the WannaCry ransomware attack infected more than 230,000 computers in over 150 countries. The attack used two components: a propagation routine and a module used to perform extortion activities. The worm leveraged a Windows Server Message Block (SMB) vulnerability. This is a well-known attack tradecraft. It can be used to monitor authentication related traffic to gain unauthorized access to servers.

Many businesses were hit by WannaCry, but a notable victim was Britain's National Health Service (NHS). The attack within the NHS was pervasive enough that patient services were disrupted. Additionally, cases had to be diverted from some hospitals. Healthcare professionals were forced to treat patients without access to online patient records.

Note the use of the SMB attack. This exploit has been around since 2001, so it is not some exotic zero-day crafted by genius hackers in an enemy nation-state. The fact that it was used to propagate the work from server to server shows its ability to move within a network. It can also be used to create man-in-the-middle (MitM) attacks to gain authentication data. This creates entry points for attackers to access and manipulate a network as demonstrated at the NHS.

An industry unprepared to defend

We now have proof of network vulnerability and an actual documented attack in hand. Two points for the savvy observer. Thus, leaving the actual vulnerability of the medical devices in question. In May 2017, the Ponemon Institute issued a report (PDF) titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” addressing this very subject. In the interest of full disclosure, the report was sponsored by Synopsys, my employer.

The report consists of two sets of survey responses: individuals who are involved in or have a role as a device maker, and targeted individuals who are involved in or have a role as healthcare delivery organizations (HDOs). Survey respondents include decision makers in manufacturing, quality assurance, IT, security, and compliance.

I will leave it to you to dive into the numbers. Some highlights include:

•67 percent of medical device manufacturers and 56 percent of HDOs believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.

•80 percent of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited include lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.

•Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year. Meanwhile, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

The most compelling evidence for my case is that the report cites that “38 percent of respondents in HDOs say they are aware of inappropriate therapy/treatment delivered to the patient because of an insecure medical device and 39 percent of device makers confirm that attackers have taken control of medical devices.”

Data driven security measures

The Ponemon Institute results align with the findings of the Building Security In Maturity Model (BSIMM) which introduced healthcare as a vertical in BSIMM Version 6. The results showed that the data for healthcare fell behind the other verticals in the study. (Further disclosure: BSIMM is managed by Synopsys. I manage the team that builds the report and manages the two BSIMM Conferences.)

The data demonstrates that medical devices are indeed vulnerable to attack. Three points for truth and Chicken Little goes down.

I don’t want to paint everyone in the industry with too wide of a brush. I would like to say that my work exposes me to many healthcare providers that are deeply interested in security. The fact there exists a healthcare vertical in the BSIMM demonstrates there are providers committed enough to be measured so they can identify areas of improvement. They are addressing the risks proactively and directly.

I believe the industry is waking up to the breadth of the problems, and several organizations are forming a vanguard to show the way forward. I plan to discuss the way forward in more detail in subsequent articles.

For now, I am ready to rest my case as a savvy observer of truth. Unfortunately, being right won’t make me any more comfortable the next time I find myself connected to a connected medical device.

Jim Ivers is VP of Marketing for the Software Integrity Group at Synopsys. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Cigital, Jim was the CMO at companies such as Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.